The compliance deadline for the European Union’s General Data Protection Regulation (GDPR) is nearly upon us, the unveiling of a proposed model to bring WHOIS into compliance is said to come from ICANN next week, and everyone is scrambling to understand all that’s involved. Implementation of a revised WHOIS model is clearly on the horizon, but what comes after may be the real story! Specifically, if WHOIS information becomes more than nominally restricted, what’s the consequence to the data controllers (ICANN and the contracted parties) who implement this revised model?
WHOIS and Critical Tasks
WHOIS is critical for:
These are but a few examples and, while WHOIS may seem like an “aside” to the critical role domain names play on the Internet, this underlying ownership data is crucial to many functions that keep the domain name system secure and stable.
Curtailing WHOIS - Where Will the Data Come From?
I understand that some registrars and registries have embraced—and even started engineering for—a compliance model very similar to ICANN’s Model 3, a system the European Commission itself says is probably too restrictive. If a system that obstructive is embraced, data may go away, but the need for that data to perform critical tasks does not. As one industry observer put it:
What the European Data Protection authorities have not yet put together is that the protection of people’s mental integrity on the Internet is not solely due to the action of law enforcement, but a cast of others (anti-spam/abuse initiates, DDoS mitigation, etc.) who are not law enforcement but do rely upon visibility into the DNS Whois to perform their services.
Significantly, respected security researcher Brian Krebs also made note of weakening security:
For my part, I can say without hesitation that few resources are as critical to what I do here…than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities.
So what happens next? Contracted parties have more than a small stake in the answer to that. Why? Because they’re the caretakers of WHOIS data, and in a world of curtailed WHOIS, the data necessary to critical tasks has to come from somewhere, and be brought to light somehow.
Let’s take IP rights enforcement. Say, conservatively, there are 1,000 queries a day (via port 43) to a registrar’s WHOIS. Now say, again conservatively, that 1% of those queries yields actionable information. The registrar, today, is off the hook, for the most part. The infringed-upon party usually pursues the matter and goes after ten “bad guys.”
In a restricted scenario, perhaps the registrar is now looking at 10 subpoenas for the previously publicly available data. But now assume a larger registrar gets one million queries a day. That 1% becomes 10,000 potential court actions to sort out. And that’s BEFORE the community arrives at a layered/gated model, with access offered to accredited third parties (potential mitigations that appear to be months away). I can’t imagine a registrar as large as GoDaddy or the Web.com family wants to deal with 10 court-sourced actions, never mind 10,000 or more—on a weekly or daily basis. Contracted parties need to very carefully consider these operational impacts when contemplating which models to implement or push for with ICANN ... as should ICANN.
Other Operational Impacts
A flood of legal service might not capture the whole picture.
Accuracy - the Other Liability Not Being Considered
Once GDPR models are implemented, what will sit behind the new “gate” is a database full of inaccurate or false information. We know this because, even in Europe today, fewer than half of WHOIS records are reported to contain data that meet operability standards. The European Commission’s recently released technical input on ICANN’s proposed GDPR-compliant WHOIS models underscored the GDPR’s “Accuracy” principle, making clear that reasonable steps should be taken to ensure the accuracy of any personal data obtained for WHOIS databases and that ICANN should be sure to incorporate this requirement in whatever model it adopts.
Many registry and registrar operators may be tempted to say, “So what? It’s what the registrant gave us, and that’s where our obligation ends.” But the European Commission official who spoke during the February 22, 2018 discussion hosted by the BC and IPC indicated that controllers are responsible for data quality under GDPR, and that inaccurate WHOIS data can be the basis of GDPR-based claims by data subjects and other recipients of inaccurate data. This certainly increases the GDPR compliance risk and raises the question of why ICANN wouldn’t ensure that contracted parties implement processes to validate and verify the contact information they allow into the WHOIS database.
Getting it Right
After months of discussion, review of countless documents and proposals, and many meetings, I’m still left feeling that we’re heading down a path that could result in a system with fewer benefits for all stakeholders and that we’re missing an opportunity to properly resolve a decades-old debate.
ICANN should move quickly to consult with all stakeholders to address critical elements of the resulting model, including e-mail address inclusion, verification for accuracy, bulk WHOIS access, and proper scoping. That model must include access to data for security and end-user protection—the latter cannot be imposed retroactively.
This is a critical move, before unintended consequences start to arrive.
I can’t imagine IP holders having enough throughput to pursue 10,000 court actions a day; they would prioritise, so the actual level even for the largest registrar wouldn’t be so high. And dealing with court actions might be cheaper than GDPR fines.
181 Million gTLDs
147 Million ccTLDs, the majority smack in the middle of the EU and GDPR compliant.
I think the question here is, what are these EU ccTLD registries and registrars doing and why can the ICANN community not do the same?
Nothing to fear but fear itself.